Inside Cybersecurity

CISA officials emphasize updates to common vulnerabilities catalog in Black Hat appearance

By Sara Friedman / August 14, 2025

CISA’s acting cyber chief Chris Butera and CIO Bob Costello highlighted the challenges facing the Common Vulnerabilities and Exposures program and plans to make changes, during appearances in Las Vegas last week.

The first eight years of the CVE program under CISA were the “growth era” for the initiative, Butera said on a McCrary Institute podcast, “and now we're shifting really to the quality era where we're asking the technology vendors to do more, to have better data quality that they're putting into the records.”

Butera said, “There are specific fields in the records that can help with us understanding classes of weaknesses. It's called Common Weakness Enumeration and what that will allow us to do” is to get a more complete picture of “what are the commonalities and the classes of weaknesses, the same types of vulnerabilities that are being found in all these different technology systems.”

Chris Butera, Acting Executive Assistant Director for Cybersecurity, CISA

The goal is that the agency “can better drive innovation to remove these from software developments, these entire classes of weaknesses,” Butera said.

The CVE program is a partnership with MITRE. Funding provided by CISA for operating the CVE library nearly lapsed in April, but hours before it was going to expire CISA said in a statement that the agency “executed the option period on the contract to ensure there will be no lapse in critical CVE services.”

Funding for the library was extended for 11 months under the option.

Butera said CISA is “really excited to partner again. This is a government sponsored and funded program, but we work very closely with industry to continue to improve this program. And it's so foundational to the work that we do in our mission and I think the entire cybersecurity ecosystem.”

The McCrary Institute podcast with Butera, Costello and moderator Frank Cilluffo, executive director of the institute, was recorded after an Aug. 7 panel at Black Hat and posted on Aug. 12. The panel featured Butera and Costello, with Cilluffo serving as moderator, and was billed as a discussion on CISA’s work to “protect the systems and infrastructure that Americans rely on every day from cyber and physical threats.”

Butera also discussed the future of the CVE program on an Aug. 5 panel at the Security BSides Las Vegas conference, where he was joined by GitHub’s Madison Oliver, Cisco’s Jerry Gamblin and Tod Beardsley of runZero. The panel was moderated by Bob Lord, senior vice president for digital security strategy at the Institute for Security and Technology.

Lord was a senior technical advisor at CISA before leaving the agency in May and one of the leaders of CISA’s secure by design initiative.

Cilluffo asked Butera about future funding for the program on the McCrary podcast.

Butera responded, “Absolutely, so we are continuing to fund the program. There's no questions around the importance of…funding this program for us. And again, we want to have as much engagement with the community as possible to continue to improve the quality of the data and I think even the tooling and automation that goes with it.”

Cilluffo also asked Butera and Costello to weigh in on the reauthorization of the Cybersecurity Information Sharing Act of 2015, which is set to expire on Sept. 30.

CISA exists to be a “center point for information sharing,” Butera said. “When you look at the cyber threat landscape, no single entity has that kind of full picture. We have a lot of visibility in the federal space, for example, but in critical infrastructure, we really rely on industry to give us kind of an understanding of what they're seeing to build that threat picture.”

Butera said, “And then together with our federal agencies and with our international partners and industry, we can pull together that information, synthesize it, and try to produce those insights back out to the community to make everyone more secure.”

“And CISA 2015 is a huge tool for us to do that. So we're very hopeful that Congress will reauthorize that for us,” Butera said.

Sean Plankey, President Trump’s nominee for CISA director, and Homeland Security Secretary Kristi Noem have backed reauthorizing CISA 2015 and lawmakers on both sides of the aisle agree that the law should be reauthorized.

Senate Homeland Security ranking member Gary Peters (D-MI) and Sen. Mike Rounds (R-SD) introduced legislation in April to extend CISA 2015 for 10 years and the Senate version of the fiscal 2026 Intelligence Authorization Act contains the 10-year extension.

On the House side, Homeland Security Chairman Andrew Garbarino (R-NY) and cyber subcommittee ranking member Eric Swalwell (D-CA) have stated that they want the law to be reauthorized, but have not introduced a bill to extend it. Garbarino is also chair of the cyber subcommittee. -- Sara Friedman (sfriedman@iwpnews.com)